Generic PKCS#11 HSM Provider
PrivX can be configured at install time to use a generic PKCS#11 HSM. You can use this for testing PrivX with HSMs that are not explicitly supported.
SSH does not provide support for the generic PKCS#11 HSM configuration option. Using it in production deployments is not recommended.
The following configuration options are prompted when configuring PrivX to use the generic-pkcs11 provider:
- PKCS#11 provider library path
- Slot
- Pin
- Optional feature flags:
  - aes-gcm-zero-iv: Supply all-zeros IV for AES-GCM encrypt and let HSM generate the IV
  - aes-gcm-luna-random-iv: Supply zero length IV for AES-GCM encrypt and let HSM generate the IV (used with Safenet Luna)
  - aes-gcm-padding: Pad input to AES-GCM encrypt using the PKCS#7 padding method
  - sym-key-size-in-bits: HSM reports symmetric key size in bits
  - fips-mode: Disable functionality that is not supported when HSM is in FIPS mode
  - serialize-ops: Serialize all PKCS#11 provider library calls
  - disable-object-cache: Disable internal object handle caching
  - vormetric-mode: Enable Thales Vormetric DSM specific functionality
  - ncipher-mode: Enable nCipher HSM specific functionality
- Keyvault symmetric-encryption algorithm:
  - AES128withGCM: AES-GCM with 128 bit key size
  - AES256withGCM: AES-GCM with 256 bit key size
  - AES128withGCMPkcs7Pad: AES-GCM with 128 bit key size using PKCS#7 padding for plaintext
  - AES256withGCMPkcs7Pad: AES-GCM with 256 bit key size using PKCS#7 padding for plaintext
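The three AES-GCM feature flags above change what the caller hands to the HSM before the encrypt call. The following added example (not PrivX or SSH code) shows those preparation steps and the PKCS#7 padding they refer to; the 16-byte block, the 96-bit IV length, and the fallback to a caller-generated random IV when neither IV flag is set are assumptions of the example, not statements from the page.

```python
from __future__ import annotations
import secrets

# Assumed constants (not from the PrivX documentation): AES block size and the
# 96-bit GCM IV length recommended by NIST SP 800-38D.
AES_BLOCK = 16
GCM_IV_LEN = 12

# The two flags that hand IV generation to the HSM; only one may be set.
IV_FLAGS = {"aes-gcm-zero-iv", "aes-gcm-luna-random-iv"}


def pkcs7_pad(data: bytes, block: int = AES_BLOCK) -> bytes:
    """PKCS#7: always append 1..block bytes, each equal to the pad length."""
    n = block - (len(data) % block)
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes, block: int = AES_BLOCK) -> bytes:
    """Strip PKCS#7 padding, rejecting malformed input instead of truncating."""
    if not data or len(data) % block:
        raise ValueError("length is not a multiple of the block size")
    n = data[-1]
    if n < 1 or n > block or data[-n:] != bytes([n]) * n:
        raise ValueError("invalid PKCS#7 padding")
    return data[:-n]


def prepare_gcm_encrypt(plaintext: bytes, flags: set[str]) -> tuple[bytes, bytes]:
    """Return (iv_passed_to_hsm, data_to_encrypt) for the configured flags."""
    chosen = flags & IV_FLAGS
    if len(chosen) > 1:
        raise ValueError(f"conflicting IV flags: {sorted(chosen)}")
    if "aes-gcm-zero-iv" in flags:
        iv = bytes(GCM_IV_LEN)                 # all zeros; HSM generates the real IV
    elif "aes-gcm-luna-random-iv" in flags:
        iv = b""                               # zero length; Luna generates the IV
    else:
        iv = secrets.token_bytes(GCM_IV_LEN)   # caller-supplied random IV (assumption)
    data = pkcs7_pad(plaintext) if "aes-gcm-padding" in flags else plaintext
    return iv, data
```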